PMI RMP – PERFORM QUALITATIVE RISK ANALYSIS

  1. INTRODUCTION

Hi, and welcome to a new risk management process: Perform Qualitative Risk Analysis, which is part of the Planning Process Group and the Risk Management knowledge area. I want you to think about this process as the filtration process. Let’s assume you are managing a project with more than 800 risks gathered from the Identify Risks process. Are you going to analyze all 800 risks? We need to filter these risks. Some of them have low priority, some of them have high priority, and some of them require an urgent action. All these decisions will be made as an output of the Perform Qualitative Risk Analysis process. It’s the filtration process for the long list you developed in the Identify Risks process.

It’s the process of prioritizing individual project risks for further analysis or action by assessing their probability of occurrence and impact as well as other characteristics. This is what we are going to do in the qualitative, or subjective, risk analysis process. We are going to prioritize the individual project risks we already identified in the Identify Risks process. The primary output of this process will be the list of prioritized risks.

The key benefit of the qualitative risk analysis process is that it focuses efforts on high priority risks. We are going to focus our efforts only on high priority risks as an output of the Perform Qualitative Risk Analysis process. This process is performed throughout the project.

As I mentioned earlier, it’s an iterative process, and the methods of qualitative risk analysis are applied to the list of risks created or updated as an output of the Identify Risks process in order to provide project management with the characteristics of the risks that have the most influence on achieving the project objectives.

So this is again what we are going to do in the qualitative risk analysis process. We will apply all the qualitative tools and techniques of this process to the list of risks created as an output of the Identify Risks process, learn their characteristics, and find out which risks have the most influence on achieving our project objectives. One of the steps performed in qualitative risk analysis is to categorize the risks according to their sources or causes.

If several risks arise from a common source, sometimes called a root cause, risk responses might be more effective when they focus on addressing this root cause. A tool performed in this process is risk categorization. As explained in this paragraph, the risks will be categorized as a part of the qualitative risk analysis process to know and highlight the areas of the project with the highest risk exposure. This would help you plan risk responses for those areas with more consideration and in a more effective way. The overall objective of the Perform Qualitative Risk Analysis and Perform Quantitative Risk Analysis processes is to determine which risks warrant a response. This is what we are going to do in the qualitative and quantitative risk analysis processes.

We identified all the risks in the risk register. We don’t want to move all these risks to the Plan Risk Responses process. Consider the Perform Qualitative Risk Analysis process as the first filter and Perform Quantitative Risk Analysis as the second filter. Risks that are assessed as high priority, to either threaten or enhance the achievement of the project objectives, will be an important focus in the Plan Risk Responses process. Now, we have three specific objectives of the Perform Qualitative Risk Analysis process. First of all, you will subjectively evaluate the probability and impact of each individual risk on the project. Then you are going to create a shorter list of risks by determining the top or critical risks that you will quantify further and/or address in the Plan Risk Responses process. We will have a shorter list as an output of this process. Also, you will make go/no-go decisions. Shall I proceed with this project, or should we terminate this project? We will answer this question once we are done with the qualitative risk analysis process.

Now, what are the critical success factors for the Perform Qualitative Risk Analysis process, as per the practice standard of risk management? First of all, we need to use an agreed-upon approach. The process is based on an agreed-upon approach to this assessment that is applied across all of the identified risks in the project. All risks may be assessed according to the probability of occurrence and the impact on the individual project objectives.

As I mentioned and as I explained in the Risk Foundation section, the two key dimensions, the first parameters you need to think about when it comes to risk assessment, are the probability and the impact. In addition to the probability and the impact, there are other factors which you can consider. First of all, you can consider the urgency, where risks requiring near-term responses may be considered more urgent to address. Manageability: some risks are not manageable, and it would be a waste of resources to attempt to address them. Impact external to the project: a risk may increase in importance if it affects the enterprise beyond the project. There is another name for the external impact, which is the strategic impact.

I’m going to explain the nine parameters of the risk assessment in the tools and techniques lecture of this section. So the first critical success factor is to have an agreed-upon approach before you start the risk assessment. The second critical success factor is to use agreed-upon definitions of the risk terms. The risk assessment should be based on agreed-upon definitions of the important terms we are going to use, and those definitions should be used consistently when assessing each risk on the project. Everybody working on the project should have the same definitions of the important risk terms. The third success factor is to collect high quality information about the risks. It is very important to make sure we have high quality information before we start the assessment.

To have a credible result from this assessment, we need this information, which might not be available in any historical database and should be gathered by interviews, workshops and other means using expert judgment. Data gathered from individuals may be subject to reporting or intentional biases, and this is what we are going to reduce by performing the qualitative risk analysis with standard definitions. We want to reduce biases in the stakeholders’ opinions and in their assessment of the probability and impact. When this occurs, the bias should be identified and remedied where possible, or a different, unbiased source of information should be found and used. To make sure of this success factor in the Perform Qualitative Risk Analysis process, there is a tool called data quality assessment, which we are going to use to make sure we have high quality information about risks. The last critical success factor is to perform iterative qualitative risk analysis.

The frequency of this effort will be planned and documented in the Plan Risk Management process. The frequency and the timing of when we are going to perform the qualitative risk analysis process were planned already and documented as a part of the risk management plan, but may also depend on events within the project itself. Now, there are two terms I want you to know before we go into the ITTOs of this process. The first is the project risk threshold, which I explained in the Risk Foundation section. It’s the total amount of risk acceptable on the project and usually takes the form of a maximum project risk score on a predetermined scale. There can be different opinions on the risk threshold for the project from the customer, the project manager and management. The project must meet all risk thresholds. As a project manager, you need to be aware of the risk threshold accepted by your senior management and the key stakeholders of the organization. Let’s say that I’m managing a project with a risk threshold of 85. This is the risk threshold accepted by the key stakeholders and the senior management. This is the figure you need to consider while you are performing the analysis of the project risks. You should not exceed this number, as per the key stakeholders’ requirements. So it’s the total amount of risk acceptable on the project.

What’s the project risk score? Now, to find the project risk score overall, you need to add the risk score for the individual risks on the project and then divide that sum by the number of individual risks on your project. This is how we are going to find out the overall project risk score. The individual risk score will be determined in a separate lecture of this section. The project risk score is a standard by which the risk efforts are measured. The difference in score shows the success of the risk response planning efforts during risk monitoring and control. The project risk score is pre measured and maintained throughout the life of the project.

Now, what are the ITTOs of the Perform Qualitative Risk Analysis process, which I’m going to explain in the coming lectures? For the inputs, we will have the project management plan with one component only, the risk management plan. We will have a few project documents: the assumption log, the stakeholder register and the risk register, in addition to the enterprise environmental factors and the organizational process assets.

For the tools and techniques, we are going to use seven tools and techniques as per the project management body of knowledge, in addition to a few tools and techniques used in the practice standard of risk management. The most important one is the data representation technique, the risk probability and impact matrix. It’s the core tool of the Perform Qualitative Risk Analysis process. We have one output only, which is the project documents updates, and the project documents which will be updated as an output of this process are the assumption log, the issue log, the risk register and the risk report. This is all for the introduction, and thank you so much. I’ll see you at the next lecture.

  2. INPUTS

Hi and welcome back again. So what are the ITTOs? We’ll be starting with the inputs. What are the documents I need in order to start the Perform Qualitative Risk Analysis process? I will be starting with the project management plan, and the only component or subsidiary plan I will need is the risk management plan, which was an output of the Plan Risk Management process. It will provide me with information on the roles and responsibilities for conducting the risk management activities, the budget and the funding of the risk activities, the schedule and the frequency, and the risk categories. Actually, while planning the risk management, we were thinking in advance about how we are going to perform the qualitative risk analysis process.

So this is why I will need the risk management plan as an input. I will also need a few project documents, starting with the assumption log, which is used for identifying, managing and monitoring key assumptions and constraints that may affect the project.

We will test these assumptions as part of the quantitative risk analysis process. The risk register is, of course, the primary input. It was an output of the previous process, Identify Risks. In this process I’m going to analyze all the risks listed in the risk register, so it will be an important input.

The stakeholder register contains information about project stakeholders who may be nominated as risk owners, and assigning a few risk owners will be part of the qualitative risk analysis process. So I need to have information about all the project stakeholders. I’ll also need a few enterprise environmental factors and the organizational process assets. These are the only four inputs you will need in order to start the qualitative risk analysis process, with the risk management plan and the risk register as the primary ones. Thank you so much. I’ll see you at the next lecture.

  3. TOOLS AND TECHNIQUES

Hi and welcome back again. So what are the tools and techniques we are going to use while performing the subjective, or qualitative, risk analysis? I will be starting with the most commonly used one, expert judgment, which is judgment provided based upon expertise in an application area, knowledge area or discipline, as appropriate for the activity being performed. Here we are assessing the identified project risks, so we are going to use the experts within our organization. As the second tool and technique, we have the data gathering techniques. The only data gathering technique I’m going to use here is interviews. Structured or semi-structured interviews can be used to assess the probability and impact of individual project risks as well as other factors. So the same concept of the interviews we were performing while identifying the project risks, we are going to perform in the Perform Qualitative Risk Analysis process. I explained in detail the interviews, the advantages, the disadvantages and the steps to follow in the previous process, Identify Risks.

So I’m not going to explain it again. We have the data analysis techniques, and the first one is the risk data quality assessment. The project team will be relying on the data about risks acquired in the previous process, the Identify Risks process. The risk data quality assessment technique is to make sure that the data you are using in the qualitative analysis is precise and reliable. This includes analysis of the extent of the understanding of the risk, the amount of data available about the risk, and the reliability and the integrity of the data available. So let’s assume you are performing the qualitative risk analysis on your project. Before you start spending effort on assessing the risks, you need to make sure that you understand each risk clearly, that the data you are relying on in order to assess this risk is reliable, and what the degree of integrity of the data is, by performing the risk data quality assessment technique. Here is an example of the data quality assessment chart.

You will analyze three dimensions. The first one is the extent of the understanding of the risk. The second one is the availability of the data about the risk. The third one is the reliability of the data. So, on a scale from one to ten, we have a risk that the raw material may arrive late, causing a two week delay in the project. The extent of understanding of the risk is nine out of ten. The availability of the data is seven out of ten, but the reliability is two out of ten. So we have an issue in the integrity and the reliability of the data available about this risk, which requires additional data gathering and additional investigation of the available data. Another risk here: the senior management might not support the project at the required level. The extent of understanding is two out of ten, so the risk is not clear. There is no data about this risk, two out of ten. But the reliability of the data available is good, it’s nine out of ten. So this is how we are going to perform the risk data quality assessment technique in the Perform Qualitative Risk Analysis process, to highlight the risks with an issue in the data available. As the second data analysis technique, we have the risk probability and impact assessment. Risk probability assessment considers the likelihood that a specific risk will occur.

Risk impact assessment considers the potential effect on one or more project objectives such as the cost, schedule or quality. Remember always that the two key dimensions for any identified risk are the probability and the impact. Risk probabilities and impacts are assessed using the definitions given in the risk management plan. Risks with low probability and impact might be included within the risk register as a part of the watch list for future monitoring. Now I want you to think about the qualitative risk analysis process as a filtration. We are going to filter the large number of risks we identified in the previous process. One of the primary key outputs of the qualitative risk analysis is the watch list. A risk register update will occur at the end of this process by adding the watch list to the risk register. The watch list is a list with all the low priority risks.

These risks will not move to the quantitative analysis, they will not move to the plan risk responses. They will move directly from the qualitative risk analysis to the monitor risks process for future monitoring. So this is the risk probability and impact assessment. We have the assessment of other risk parameters. The project team may consider other characteristics of risks when prioritizing individual project risks. These characteristics may include the urgency, the period of time within which a response to the risk is to be implemented in order to be effective. A short period is considered a high urgency. So the two key dimensions of any risk are the probability and the impact. But you can assess other parameters which I’m going to explain. We have more than ten parameters that will depend on the complexity of the project, on the size of the project and on the risk degree of the project. So this is the first parameter, the urgency. The second one is the proximity.

It’s the period of time before the risk might have an impact on one or more project objectives. A short period of time is considered a high proximity. This is the proximity parameter. The dormancy is the period of time that may elapse after a risk has occurred before the impact is discovered. You have a few risks on your project that might occur, but it will take time to discover the impact of those risks. A short period of time is considered a low dormancy. We have the manageability, the ease with which the risk owner, who is the person responsible for the risk, can manage the occurrence or impact of a risk. When management of that risk is easy, the risk is considered to have a high manageability. We have also the controllability, the degree to which the risk owner can control the risk consequences or the risk outcome. Where the outcome can be easily controlled,

the risk has a high controllability. Detectability is the ease with which the results of the risk occurring, or being about to occur, can be detected or recognized. When the risk occurrence can be detected easily, the detectability parameter for this risk is high. The connectivity is the extent to which a risk is related to other individual project risks. Where a risk is connected to many other risks, connectivity is high. Is this risk connected to other identified risks, or is it a standalone risk? This is the connectivity. We have the strategic impact of the risk, the potential for the risk to have a positive or negative effect on the organization’s strategic goals. Where the risk has a major effect on strategic goals, the strategic impact parameter of this risk is high. We have also the propinquity, the last parameter, the degree to which a risk is perceived to matter by one or more stakeholders. Where the risk is perceived as very significant, propinquity is high. These are the nine parameters you can assess. It will depend on the senior management support for the risk efforts on the project and, as I stated earlier, on the degree of complexity of the risk on the project. But always remember that the key dimensions are the probability and the impact. Now, as the fourth tool or technique we have the interpersonal and team skills, and we are going to use facilitation, which improves the effectiveness of qualitative risk analysis of individual project risks. Next is risk categorization: risks to the project can be categorized by sources of risk to determine the areas of the project most exposed to the effect of uncertainty.

Groups of risk categories can lead to more effective risk responses by focusing attention and efforts on the areas of the highest risk exposure. So this is the benefit of categorizing the project risks. You will have categories of risks, and that will help you to know the areas of the project that are most exposed to the effect of the project risk.

Now we have one of the most important tools used in the Perform Qualitative Risk Analysis process: the probability and impact matrix, or the PI matrix. The exact definition of the PI matrix is that it’s a grid for mapping the probability of each risk occurrence and its impact on the project objectives if that risk occurs. Risks are then placed on a probability and impact (PI) matrix. This matrix should include both opportunities and threats. Before we go to the PI matrix, I will be starting with the probability scale, with a rating from one to ten.

A risk with a high probability will have a rating of seven or eight. Always remember that risks with a nine or ten on the probability scale are not risks. They are considered as issues, as facts, and they are not managed as a part of the risk management. Here’s an example of the impact scale. This will help you standardize the definitions of the probability and impact across the project, and this will reduce the biases present on the project. So wherever there is a risk with an impact scale of seven, it means that this risk will have an impact of over budget by 30% and the project will be delayed by 30 percent. An impact scale of three means a medium reduction of time or cost reserves, and so on. Now this is the PI matrix. This is where you are going to locate all the risks you identified in the previous process. Now let’s look at the key here.

The risks with high or very high probability and very high impact are risks you should definitely move into the Perform Quantitative Risk Analysis process and/or the Plan Risk Responses process. So you need to take an action, an urgent action, with the risks in the dark gray color. The other risks are risks you might decide to move into Perform Quantitative Risk Analysis and/or Plan Risk Responses. They are called medium risks, while the light gray risks will be recorded in the watch list for future monitoring in the Monitor Risks process. This is the PI matrix and how you are going to use it in the subjective analysis of the project. The core value of applying the PI matrix is to reduce the biases present on the project. It’s important that all those evaluating risk use a standard interpretation for their assessment of probability and impact, in order to achieve consistent evaluation of risk across multiple projects. Some people may attempt to balance the results in one direction or the other. It’s called the motivational bias, while other people’s evaluations may be biased due to different perceptions.

This is called the cognitive bias. Using the PI matrix with a standard definition of the probability and impact will reduce both types of biases. Having a description for one to ten in the matrix will help eliminate some of these biases. But the risk team should continue to look to expose biases throughout the life of the project. Now, why are we going to use the PI matrix? Why are we going to use the risk score calculations, which I’m going to explain in the following lecture? We need to have a list of prioritized risks. This is the primary output of the qualitative risk analysis.

We will have a list of the prioritized risks by determining the risk ranking within a project. Remember that not all risks move forward in the risk management process, as you don’t have time and money to deal with all the risks, which might be hundreds for large projects. I cannot move all the risks identified in the Identify Risks process to the quantitative analysis or to the Plan Risk Responses process. I need to determine the priority of each risk.

It is always a better choice to move risks forward depending on the ranking among all other or all the risks. The risk ranking is determined based on the risk scores for each risk. The risk score formula can be calculated by multiplying the probability rating by the impact rating. The main objective is to know which are the top risks that move forward and which are the non top risks that will not move forward into the risk management processes.

If a risk has a probability rating of nine or ten, as I told you earlier, it’s not a risk. You should not deal with this in the risk management field. It’s a fact or an issue. These issues should be addressed as a part of the product or project scope, not as a part of the risk management. So the output of all this will be having a list of prioritized risks.

Then we are going to determine the risk ranking between the projects for the organization. A project’s ranking as compared to other projects affects the project management plan, and the project that has the highest ranking as compared to other projects should have the best project manager assigned to it.

A high risk ranking of a project is based on its risk score as compared to the risk scores of other projects within the organization. A high risk ranking might cause more experienced resources to be committed to the project and might get more management support. This is why we are going to determine the risk score of each project within the organization. We have also the data presentation technique, the hierarchical charts.

When risks have been categorized with more than two parameters, the probability and impact matrix cannot be used. The PI matrix has only two dimensions, so other graphical representations should be used. They are also called bubble charts.

The bubble charts display three dimensions of data, where each risk is plotted as a bubble and the three parameters are represented by the x axis value, the y axis value and the bubble size. So the bubble charts are used to represent risks on the project based on three parameters instead of two parameters. Meetings: the project team may conduct specialist meetings, such as risk workshops, for risk identification and for the subjective analysis and assessment of the existing project risks. Here is the bubble chart.

The three parameters we are using in the bubble chart will be the proximity, the detectability and the impact value. On the y axis, we are representing the proximity of a risk on the x axis, the detectability of the risk and the bubble size itself is the impact value.

So large bubbles in this area are unacceptable, because large bubbles here represent a high proximity, a high detectability and a high impact value. Tool and technique number eight is the analytic hierarchy process, AHP. It’s a method to calibrate preferences for achieving the different objectives of a project. So this technique is also used for the subjective evaluation of the risks identified. But it will consider a relative weighting for each objective.

What’s the relative weighting for the project objectives in terms of their priority to the stakeholders or to management? The results are weights that reflect the relative priority of each objective. The prioritization can be important in determining how trade-offs affecting different objectives will be decided. It can also be used to create an overall project risk priority list from risks that have been assessed on their implications for individual projects.

So the AHP technique is used like the PI matrix, like the risk score calculations, with the only difference being that the AHP technique pays attention to the relative weightings of the project objectives in terms of their priority to the key stakeholders on the project. Which matters most: the scope, the quality, the cost, and so on? This is the relative weighting or the relative score. You cannot perform the AHP manually. There is specialized software implementing the AHP, and a spreadsheet implementation, which I’m going to show you right now. Here is an example of the preference factors. A one means equally preferred, a four means greatly preferred, and a five is a must, it’s always preferred. Here is an input matrix for the preference factors showing the four objectives and the trade-offs: the cost, the time, the scope and the quality. And here is an example of the weighting factors as a result of applying the AHP technique.
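The AHP weighting described above, as an added worked example that is not from the lecture or from PMI. The pairwise preferences, the risk ratings, risk R3 and the rule of multiplying the probability rating by the weighted impact are constructed assumptions, and the weights use the row geometric-mean approximation rather than any particular AHP software.

```python
import math

OBJECTIVES = ["cost", "time", "scope", "quality"]

# Constructed stakeholder preferences on the lecture's scale
# (1 = equally preferred, 4 = greatly preferred, 5 = always preferred).
# PREFS[(a, b)] = how strongly objective a is preferred over objective b.
PREFS = {
    ("cost", "time"): 2, ("cost", "scope"): 4, ("cost", "quality"): 3,
    ("time", "scope"): 3, ("time", "quality"): 2, ("quality", "scope"): 2,
}

# Saaty's random consistency index, published for the 1..9 scale and
# used here as an approximation for the 1..5 scale (assumption).
RANDOM_INDEX = {3: 0.58, 4: 0.90, 5: 1.12}


def build_matrix(objectives, prefs):
    """Turn pairwise preferences into a reciprocal comparison matrix."""
    n = len(objectives)
    idx = {name: i for i, name in enumerate(objectives)}
    matrix = [[1.0] * n for _ in range(n)]
    seen = set()
    for (a, b), value in prefs.items():
        pair = frozenset((a, b))
        if a == b or a not in idx or b not in idx or pair in seen:
            raise ValueError(f"invalid or duplicate pair: {a!r}, {b!r}")
        if not 1 <= value <= 5:
            raise ValueError(f"preference {value} is outside the 1..5 scale")
        seen.add(pair)
        matrix[idx[a]][idx[b]] = float(value)
        matrix[idx[b]][idx[a]] = 1.0 / value  # reciprocal judgment
    if len(seen) != n * (n - 1) // 2:
        raise ValueError("every pair of objectives needs one judgment")
    return matrix


def ahp_weights(matrix):
    """Objective weights from normalized row geometric means."""
    n = len(matrix)
    means = [math.prod(row) ** (1.0 / n) for row in matrix]
    total = sum(means)
    return [m / total for m in means]


def consistency_ratio(matrix, weights):
    """CR = CI / RI; values above about 0.10 mean contradictory judgments."""
    n = len(matrix)
    lam = sum(
        sum(matrix[i][j] * weights[j] for j in range(n)) / weights[i]
        for i in range(n)
    ) / n
    return ((lam - n) / (n - 1)) / RANDOM_INDEX[n]


def rank_risks(risks, weights):
    """Score = probability rating x weighted impact; highest score first."""
    scored = []
    for risk_id, probability, impacts in risks:
        weighted = sum(w * impacts[o] for w, o in zip(weights, OBJECTIVES))
        scored.append((risk_id, round(probability * weighted, 2)))
    return sorted(scored, key=lambda item: item[1], reverse=True)


# Constructed risks: (id, probability rating 1..10, impact rating per objective).
RISKS = [
    ("R1 raw material arrives late", 6,
     {"cost": 3, "time": 8, "scope": 1, "quality": 2}),
    ("R2 weak senior management support", 4,
     {"cost": 5, "time": 4, "scope": 7, "quality": 4}),
    ("R3 deliverable fails acceptance tests", 6,
     {"cost": 2, "time": 2, "scope": 2, "quality": 9}),
]

if __name__ == "__main__":
    matrix = build_matrix(OBJECTIVES, PREFS)
    weights = ahp_weights(matrix)
    print({o: round(w, 3) for o, w in zip(OBJECTIVES, weights)})
    print("consistency ratio:", round(consistency_ratio(matrix, weights), 3))
    print("AHP-weighted ranking:", rank_risks(RISKS, weights))
    print("equal-weight ranking:", rank_risks(RISKS, [0.25] * 4))
```

With these constructed inputs the quality-heavy risk R3 ranks first under equal weights but last once cost and time carry the stakeholders' weight, which is the effect of the relative weighting.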

So again, it’s a technique used for evaluation purposes, but it will give consideration to the weight of each objective, and this weight will be prepared from the input of the key stakeholders on the project. The last tool or technique will be the estimating techniques applied to probability and impact. This technique is based on ranges of estimates for the probability and impact. One common way of specifying the probability of a risk occurring is to assign levels of risk probability by ranges of probability. The benefit of this approach is that the subject matter experts only need to assess a risk probability within a range rather than as a specific value.

Some key stakeholders prefer to assess risk based on a range instead of a specific value. Note that opportunities are to be treated as representing a positive saving in time or cost, or increased functionality. For threats, each impact scale is interpreted negatively, like time delays, increased costs or reduced functionality. Here is an example of the estimation techniques. For example, a risk on a scale of medium will have a probability of 21% to 40%, the impact on the schedule will be eleven to twelve days, and the cost impact will be $51 to $100,000. For quality purposes, there is some impact in key functional areas. Note that all the estimates are within a range. They are not specific values. This is all for the qualitative risk analysis process. Thank you so much. I will see you at the next lecture. I will explain the risk score calculations in a brief way.